Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensusnwc.com>.

Many applications, both clients and servers, are not properly checking
the constraints of SSL certificates. Attackers can use their normally
signed certificate to sign other certificates, basically acting like a
'quasi-certificate authority,' even though their original certificates
are constrained as end-user/host certificates. The end result is that
attackers can sign arbitrary certificates and vulnerable applications
will believe them valid. Vulnerable applications reported in this issue
include the Tinyssl library ({02.33.005}), KDE Konqueror ({02.33.043})
and Microsoft IIS ({02.33.041}).

Microsoft released MS02-042 ("Network Connection Manager callback code
execution"). The Network Connection Manager shipped with Windows 2000
allows the user to specify the execution of a callback function when
a network connection is established. Unfortunately, this function is
executed with local system privileges, thus allowing a local attacker
to gain administrative/system access.

Microsoft released MS02-043 ("SQL Server cumulative patch"). This
cumulative patch fixes all known problems to date in MS SQL Server
7.0 and 2000 as well as in MSDE 1.0 and 2000. It also fixes a new bug,
whereby an attacker capable of running stored procedures can execute
arbitrary SQL with administrative privileges.

The WebEasyMail suite version 3.4.2.2 contains a format string
vulnerability in the handling of SMTP commands. It also contains an
information disclosure bug in the POP service that allows a remote
attacker to brute force valid user names.

Windows XP running Internet Explorer 6.x comes with a 'Help and
Support Center' software feature that is a suite of help-related
files and functions used both internally by Windows XP and externally
by Web sites. However, a bug allows a malicious Web site (or e-mail)
to delete arbitrary files on the user's system by tricking the user's
browser into making a particular request.

A released advisory indicates it's possible for a local attacker to
use NTFS hard links to obfuscate file audit logs. Basically, the
logs will contain entries for an arbitrary file name rather than the
actual file name, so it may not be apparent which file is the target
of the various audited events.

The advisory indicates confirmation by the vendor, which released a
fix in Windows 2000 SP3.

MS SQL Server versions 7 and 2000 reportedly contain a bug in the way
users can submit jobs to the SQL agent. Basically, they can specify
a file for the output that will overwrite any existing file already
on the file system.

An advisory indicates that Trillian version 0.73 has a buffer
overflow in the handling of the PING response by the IRC module as
well as format string handling errors in IRC invite responses. These
bugs may allow a malicious server to execute arbitrary code on the
user's system.

MyWebServer version 1.0.2 reportedly contains three vulnerabilities:
a buffer overflow in the search functionality, which may allow remote
execution of arbitrary code; a cross-site scripting bug in the handling
of nonexistent URL requests; and disclosure of the physical path.

The Microsoft File Transfer Manager ActiveX control is a
Microsoft-signed control used for handling file downloads from premium
Microsoft sites. The control contains a buffer overflow that could
lead to the execution of arbitrary code. It also allows a remote Web
site to schedule file uploads and downloads without user intervention.

A FreeBSD advisory indicates various system calls, including accept(),
getsockname(), getpeername() and a particular ioctl(), do not properly
handle signed parameters, potentially exposing kernel memory.

A Novell advisory indicates the NetBasic handler shipped with various
Web services included with Netware 5.1 and 6.0 contains multiple
vulnerabilities, including a buffer overflow and the ability to
execute arbitrary NSN scripts on the SYS volume.

A Novell advisory indicates the Perl handler shipped with various
Web services included with Netware 5.1 and 6.0 contains multiple
vulnerabilities, including the ability to execute arbitrary Perl
scripts via an HTTP POST request and to execute Perl scripts outside
the Web root.

When a version of IRIX prior to 6.5.13 is upgraded to 6.5.13 or after,
the Ethernet MAC address on Origin 3000 systems changes. This may
affect sites that do filtering/firewalling based on MAC addresses.

The Gateway GS-400 NAS server comes preinstalled with a default
root password and does not offer any method to change it. Thus,
remote attackers can potentially telnet to the device (on port 1023)
and compromise the system.

The advisory indicates the vendor does not support the product; thus,
a fix will not be released.

The Tinyssl library prior to version 1.03 ignores the basic constraints
on client certificates, potentially allowing a remote attacker to
present what appear to be valid, trusted SSL certificates to the
application using Tinyssl.

The Oracle listener control utility is vulnerable to a format string
vulnerability, potentially allowing an attacker to execute arbitrary
code on the administrator's system, which runs the remote listener
control utility.

The Web Shop Manager CGI suite version 1.1 reportedly contains a
vulnerability in the handling of the search parameters that allows
a remote attacker to execute arbitrary commands under
the privileges of the Web server.

The PHP-affiliate CGI suite version 1.0 reportedly does not correctly
verify hidden parameters passed to the details2.php script. This
allows a remote attacker to edit arbitrary users' information.

The FUDForum CGI suite prior to version 2.2.0 contains vulnerabilities
in the tmp_view.php and admbrowse.php scripts that allow a remote
attacker to read and potentially manipulate files outside the Web root.

The vendor confirmed these vulnerabilities and released version 2.2.0.

Tomahawk's Steelarrow contains two buffer overflows (one in the
handling of cookies and one in the handling of chunked client
requests) that could allow a remote attacker to execute arbitrary
code on the system.

The l2tpd daemon prior to version 0.68 does not properly generate
random data, thereby causing the randomness to be predictable. This
decreases the security of various cryptographic components, including
the generation of the authentication challenge.

The vendor confirmed this vulnerability and released version
0.68. Updates are available at:
http://www.l2tpd.org/

The KDE Konqueror prior to version 3.0.3 ignores the basic constraints
on client certificates, potentially allowing a remote attacker to
present what appear to be valid, trusted SSL certificates to the
user's browser.
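The basic-constraints failure described in the opening paragraph, and again for Tinyssl ({02.33.005}) and Konqueror above, as an added Go example that is not code from any product named in this issue: it mints a root CA, an ordinary end-entity certificate and a third certificate issued with the end-entity key (all names constructed), then shows that a signature-only check accepts the third certificate while the crypto/x509 chain builder rejects it because the issuer's cA flag is false.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a cert for a fresh P-256 key, signed by parent (self-signed when nil); isCA sets the cA flag.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // extension always present, only cA differs
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// signedBy is the flawed test the newsletter describes: it checks only that signer's key produced
// c's signature, never whether signer's cA flag permits it to issue certificates at all.
func signedBy(c, signer *x509.Certificate) bool {
	return signer.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// properCheck lets crypto/x509 build the chain; it refuses any issuer whose cA flag is false.
func properCheck(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
func main() {
	root, rootKey := issue("Demo Root CA", true, nil, nil)
	site, siteKey := issue("legit.example", false, root, rootKey)
	rogue, _ := issue("victim.example", false, site, siteKey) // issued with an end-entity key
	fmt.Println(signedBy(rogue, site) && signedBy(site, root), properCheck(rogue, site, root))
}
```

The first value printed is true (every signature in the chain is genuine), yet Verify returns an error naming the end-entity certificate as not authorized to sign, which is exactly the check the vulnerable applications skipped.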

The C_Verify function shipped in the nCipher cryptographic library
always indicates that a symmetric signature is valid, even if it is
invalid. Products based on this library using the affected function
are vulnerable.

The vendor confirmed this vulnerability. Updates are available by
contacting nCipher.

The scponly utility, used to limit users to only using scp/sftp,
contains a bug that potentially allows a user to upload an environment
file to their .ssh directory and to circumvent the restrictions
scponly is supposed to enforce.

This vulnerability is not confirmed. Third-party workarounds are
explained in the reference URL below.

Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.

Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensusnwc.com>.

If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via e-mail, from which
you can unsubscribe. http://www.sans.org/sansurl